Add Azure platform detection to the translator#2183
Open
movence wants to merge 5 commits into
Open
Conversation
a563d67 to
f75cc53
Compare
jefchien
reviewed
Jul 1, 2026
f75cc53 to
d3cb5fa
Compare
jefchien
reviewed
Jul 2, 2026
Contributor
There was a problem hiding this comment.
We'll want to have a separate transform configuration for Azure, but that can be done in a separate PR if you want.
jefchien
reviewed
Jul 6, 2026
Comment on lines
+119
to
+125
| // Azure VM/AKS (AKS resolves to ModeAzureVM) reaches AWS only via oidctoken->sigv4 web identity, which needs role_arn. | ||
| if context.CurrentContext().Mode() == config.ModeAzureVM { | ||
| if agent.Global_Config.Role_arn == "" { | ||
| return nil, errors.New("credentials.role_arn is required on Azure VM/AKS for the oidctoken web-identity credential chain") | ||
| } | ||
| pipelines.Translators.Extensions.Set(oidctoken.NewTranslator()) | ||
| } |
Contributor
There was a problem hiding this comment.
Feel like this should be defined in a pipeline that actually uses it. Either the opentelemetry one or some other one. For example, if I run this on Azure with something that doesn't use the sigv4auth extension, the oidctoken extension isn't actually being used.
ca45a7a to
f39901a
Compare
jefchien
reviewed
Jul 7, 2026
1d895aa to
149f638
Compare
jefchien
reviewed
Jul 7, 2026
okankoAMZ
reviewed
Jul 7, 2026
| // hasSigv4auth reports whether a sigv4auth extension is present, i.e. some pipeline will consume the oidctoken file. | ||
| func hasSigv4auth(extensions common.ComponentTranslatorMap) bool { | ||
| for _, id := range extensions.Keys() { | ||
| if id.Type().String() == "sigv4auth" { |
Contributor
There was a problem hiding this comment.
Can we use sigv4authextension.NewFactory().Type() instead of hardcoding?
149f638 to
1892de0
Compare
jefchien
previously approved these changes
Jul 7, 2026
1892de0 to
995937d
Compare
Detect Azure VM (via Azure IMDS 169.254.169.254 /metadata/instance with the mandatory "Metadata: true" header) and AKS (via the RUN_IN_AKS env var set by the AKS Helm chart), then drive the generated OTEL config from the detected platform with no customer input: - New translator/util/azuredetector package: cached IMDS probe (bounded timeout, transient-error retry, redirect refusal, compute-body validation, proxy disabled for the link-local address) + RUN_IN_AKS env signal. - AWS-first mode resolution: Azure is only considered after every AWS signal (RUN_IN_AWS, IRSA, EC2, ECS) is exhausted; EKS keeps precedence over AKS. AKS nodes resolve to the AzureVM host mode. - resourcedetection emits [azure, env] for Azure VM and [aks, env] for AKS. - oidctoken extension wired on Azure VM (Provider=azure) to obtain a bearer token from Azure IMDS for telemetry egress. Adds unit tests (httptest mock IMDS + env stubs), context mode handling, and golden tocwconfig fixtures for Azure VM and AKS.
…omment - oidctoken output_token_file derives from target platform (fixes Windows CI) - guard EC2 ARN cloud.resource_id transform with cloud.provider == aws - correct azuredetector retry comment (all errors retryable, not cached)
…ce_id guard - sigv4auth sets assume_role.web_identity_token_file to the oidctoken path for AzureVM - guard EC2 cloud.resource_id transform with cloud.platform == aws_ec2 (was cloud.provider == aws, which fired on ECS/EB/Lambda) - move oidc token file to the agent etc dir - add AzureVMWithRoleARN sigv4 test; concise comments
…on Azure - Move the OIDC token file path to translator/util (OIDCTokenFilePath), the single source of truth read by both oidctoken (writer) and sigv4auth (reader); removes the sigv4auth->oidctoken package import. - Emit oidctoken whenever Mode()==AzureVM (AKS resolves to AzureVM), and require credentials.role_arn: Azure VM/AKS reaches AWS only via the oidctoken->sigv4 web-identity chain, so a missing role_arn is a hard translate error, not a silent skip that would defer the failure to runtime. - Drop the unreachable ProviderAuto branch; the extension is only emitted for Azure, so the provider is always Azure.
…detector, gate oidctoken on sigv4auth - Fix CI lint (gosec G101): move the OIDC token path into tool/paths (OIDCTokenFile + LinuxOIDCTokenPath, literal so it stays linux-valued when targeting linux on a Windows build host); util.OIDCTokenFilePath now sources from there. - azuredetector: drop the IsAzureVMCache struct/unused Err and the mutex in favor of atomic.Pointer[bool]; remove the dead probeAzureIMDS indirection var and the isAKS wrapper (IsAKS = envconfig.IsRunningInAKS directly); use for range on the retry loop. - sdkutil: collapse the isAKS/isAzureVM wrappers now that azuredetector returns bool. - Emit oidctoken only when a sigv4auth extension is present (co-located with the consumer, across all sigv4auth pipelines), instead of on ModeAzureVM alone.
995937d to
3440113
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds automatic Azure platform detection to the CloudWatch Agent translator so Azure VM and AKS environments generate the correct OTEL configuration with no customer input, without affecting existing AWS (EC2/ECS/EKS/on-prem) detection.
What changed
translator/util/azuredetectorpackageIsAzureVM()detects an Azure VM by querying the Azure Instance Metadata Service through the contribmetadataproviders/azureprovider (azuremeta.NewProvider().Metadata()). The IMDS HTTP specifics (endpoint,Metadata: trueheader, response parsing) are owned by the contrib provider; this package wraps that call with a short per-attempt timeout, a bounded retry, and result caching — added here because the contrib client ships none of those. Any probe error is treated as retryable and a definitive (non-error) result is cached.IsAKS()reads theRUN_IN_AKSenvironment variable set by the AKS Helm chart.translator/util/sdkutil.go) — AWS-first: Azure is only considered after every AWS signal (RUN_IN_AWS, IRSA, EC2, ECS) is exhausted; EKS keeps precedence over AKS. AKS nodes resolve to theAzureVMhost mode. Detection runs once at startup.ModeAzureVM/ModeAKS(+ short modes) added to the contextSetMode/SetKubernetesMode.resourcedetectionemits[env, azure]for Azure VM and[env, aks, azure]for AKS; theoidctokenextension is emitted on Azure VM (provider: azure) so telemetry egress can later obtain a bearer token from Azure IMDS. Wiringoidctokenas the exporter authenticator (replacing sigv4auth) is follow-up egress work and is intentionally out of scope for platform detection — the extension is emit-only at this stage.Testing
azuremeta.Providerstub covering detected, not-Azure, unreachable, transient-error-not-cached, and result-cached cases, plusRUN_IN_AKSenv stubs — all pass with-race.tocwconfigfixtures for Azure VM and AKS validate the full JSON→YAML translation (includingresourcedetectiondetectors and theoidctokenextension) throughxconfmap.Validate.go build ./...,go vet,gofmt, and the repo-pinnedgolangci-lintare clean.Validated on a real Azure VM
Ran the built
config-translatoron a live Azure VM (Standard_D2s_v3) and diffed the generated OTEL YAML against the golden fixtures:-mode auto, live IMDS): detected AzureVM; output byte-identical tohost_metrics_azurevm_config.yaml— detectors[env, azure]+oidctoken(provider: azure).RUN_IN_AKS=True+RUN_IN_CONTAINER=True): detected AzureVM host + AKS; byte-identical tohost_metrics_aks_config.yaml— detectors[env, aks, azure].-mode ec2→[eks, env, ec2], no Azure detectors;RUN_IN_AWS=Trueon the Azure VM still resolves to EC2 (AWS wins over Azure).